3

I have nodejs express sitting behind nginx. Currently everything works fine. I have Nginx implemented with SSL to utilize https, which then simply forwards the request along to the running node application at the specified port. I'm wondering if this is the best way to do it though? Here's what I currently have...

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mysite.somethingelse.com www.mysite.somethingelse.*;
    ssl_certificate /path/to/my/cert.pem;
    ssl_certificate_key /path/to/my/key.key;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

What if I simply implement an https server on the express end? And then proxy the request to that, and let that do all the decoding? Something like this:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name mysite.somethingelse.com www.mysite.somethingelse.*;
    location / {
        proxy_pass https://localhost:3000;
        proxy_http_version 1.1;
        proxy_cert path/to/cert.pem
        proxy_key path/to/key.key
    }
}

This second version is likely not even correct. But what I'm going for is implementing SSL on the node app rather than letting nginx do it.

  1. Do I gain anything from doing one vs the other?
  2. What's the best practice here... letting nginx or the node app do this?
  3. And, assuming it's better to do it on the node app, what is the correct implementation here of setting up nginx?

Thank you!

dvsoukup

1 Answer

0

If you are pursuing performance and are going to implement load balancing across several node instances, it is a good idea to terminate SSL on standalone machine(s). But if you are going to run a single instance of your node app and the foreseen load is not high, then it is probably simpler to set up SSL in node. Also, I would recommend that you refrain from using nginx and switch to NAT (using a firewall), because this approach will use fewer resources.

Another argument in favor of terminating SSL on nginx is documentation and configuration best practices. You should know that configuring SSL is not only about setting up a certificate and private key; it also involves many security considerations around different ciphers, protocols and vulnerabilities. And it is easier to find working solutions, tips and configuration examples for nginx than for node.

So regarding your questions:

  1. It depends on your goals.
  2. It depends on your goals, but I would currently recommend using nginx for SSL termination.
  3. I would recommend implementing NAT instead of nginx in this case.
vsenko
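
Two nginx layouts for running TLS on the node side, as an added example that is not part of the question or the answer: raw TCP passthrough via the stream module, where node does all the TLS work, and re-encryption, where nginx still terminates the client connection and then opens a verified TLS connection to node. The certificate paths, the CA file and the name `node.internal.example` are placeholders, and only one of the two layouts can be enabled at a time because both listen on port 443.

```nginx
# Added example, not from the question or the answer.
# Placeholders: certificate paths, upstream-ca.pem, node.internal.example.
# Layouts A and B both bind port 443: enable one, not both.

# Layout A: TLS passthrough. nginx relays raw TCP; node holds the certificate
# and key and negotiates protocols and ciphers. nginx never sees the HTTP
# request, so it cannot set headers, cache, or route by path.
stream {
    server {
        listen 443;
        proxy_pass 127.0.0.1:3000;      # node https server
    }
}

http {
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    # Layout B: re-encryption. nginx terminates the client's TLS (so it still
    # needs a certificate), then makes its own TLS connection to node.
    server {
        listen 443 ssl;
        server_name mysite.somethingelse.com;
        ssl_certificate     /path/to/my/cert.pem;
        ssl_certificate_key /path/to/my/key.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass https://127.0.0.1:3000;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Upstream certificates are not verified unless this is on.
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /path/to/upstream-ca.pem;
            proxy_ssl_name                node.internal.example;
            proxy_ssl_server_name         on;
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        }
    }
}
```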